🔐 Access Control List (ACL)
🧠 Top 5 Key Points
- Traffic Filtering: ACLs filter network traffic by allowing or denying packets based on criteria such as IP address, protocol, or port.
- Security Control: They help protect networks by restricting unauthorized access to specific network segments or devices.
- Types of ACLs:
  - Standard ACLs (1–99): Filter traffic based only on source IP address. Standard ACLs are applied close to the destination.
  - Extended ACLs (100–199): Filter traffic based on source IP, destination IP, and port/protocol. Extended ACLs are applied close to the source. Cisco introduced Extended ACLs to provide much more control. They can filter by:
    - ✅ Source IP
    - ✅ Destination IP
    - ✅ Protocol (TCP, UDP, ICMP, IP)
    - ✅ Port number (80, 443, 22, etc.)
- Direction of Application: ACLs can be applied inbound (incoming packets) or outbound (packets leaving the interface).
- Order Matters: ACLs are processed top-down; the first match decides the action — unmatched packets are denied by default.
Quick Comparison
| Requirement | Standard ACL | Extended ACL |
|---|---|---|
| Filter by source IP | ✅ | ✅ |
| Filter by destination IP | ❌ | ✅ |
| Filter by TCP/UDP | ❌ | ✅ |
| Filter by port (80, 443, 22) | ❌ | ✅ |
| Simpler configuration | ✅ | ❌ |
⚙️ Technical Summary
| Feature | Description |
|---|---|
| OSI Layer | Layer 3 (Network Layer) |
| Purpose | Traffic filtering & security |
| Placement | Router interfaces |
| Default Behavior | Implicit “deny all” at end |
| Common Use | Restrict access between subnets or to servers |
🧰 Packet Tracer Lab – ACL Example
🎯 Goal:
Block traffic from one LAN to another while allowing all other traffic.
🖥️ Network Topology
IP Address Plan
| Device | Interface | IP Address | Network |
|---|---|---|---|
| R1 | G0/0 | 192.168.1.1 | 192.168.1.0/24 |
| R1 | G0/1 | 192.168.2.1 | 192.168.2.0/24 |
| PC1 | NIC | 192.168.1.10 | 192.168.1.0/24 |
| PC2 | NIC | 192.168.2.10 | 192.168.2.0/24 |
🪜 Step-by-Step Configuration
🔹 1. Basic Router Configuration
🔹 2. Create a Standard ACL
Block all outgoing traffic from 192.168.1.0/24 (LAN1) to LAN2, but allow all other traffic.
🔹 3. Apply ACL to an Interface
Apply it outbound on interface G0/1 (towards LAN2).
🔹 4. Verify ACL Configuration
➡ Displays the ACL entries and their hit counts.
➡ Verifies that the ACL is applied to the correct interface and direction.
💡 Testing
- From PC1 (192.168.1.10) → try to ping 192.168.2.10 (PC2) → ❌ should fail (blocked by ACL).
- From the router (or another network) → ping PC2 → ✅ should succeed.
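As an added example (not configuration from the original post), the IOS commands below implement steps 1 to 4 of this lab. They assume the hostname R1, the interface names from the IP plan, and ACL number 10; the post does not state which ACL number to use.

```cisco
! Added example for the lab above, not the original post's configuration.
! Assumptions: hostname R1, G0/0 = LAN1, G0/1 = LAN2, standard ACL number 10.
enable
configure terminal
hostname R1
!
! Step 1: basic router configuration
interface GigabitEthernet0/0
 description LAN1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description LAN2
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Step 2: standard ACL - entries are checked top-down, first match wins.
! Wildcard 0.0.0.255 matches the whole 192.168.1.0/24 subnet.
! The explicit "permit any" is required: without it the implicit deny
! at the end would block every packet leaving G0/1.
access-list 10 remark Block LAN1 from reaching LAN2
access-list 10 deny   192.168.1.0 0.0.0.255
access-list 10 permit any
!
! Step 3: apply outbound on G0/1 (close to the destination, as standard ACLs should be).
interface GigabitEthernet0/1
 ip access-group 10 out
!
end
!
! Step 4: verify. "show access-lists" lists the entries with match counts;
! "show ip interface" shows the line "Outgoing access list is 10".
show access-lists 10
show ip interface GigabitEthernet0/1
!
! Note for the test plan: packets generated by the router itself (such as a
! ping from R1 to PC2) are not checked by an outbound ACL on R1's own
! interface, which is why that ping succeeds while PC1's ping is dropped.
```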
Create a Standard ACL (second scenario)
Topology: PC1 (LAN1 - 192.168.1.0/24) -- Router -- Web server (10.0.0.0/24)
- PC -> Router: crossover
- PC -> Web Server: crossover
Block all incoming traffic from 10.1.1.10/8 (Server) to LAN 1,
🧠 Learning Summary
| Concept | Description |
|---|---|
| ACL Purpose | Filter network traffic |
| Standard ACL | Based on source IP only |
| Extended ACL | Based on source IP, destination IP & port numbers |
| Direction | Inbound or outbound |
| Default Rule | Implicit deny at the end |
💬 Teaching Tip
“Think of an ACL as a security guard at a router port — it checks every packet’s ID (IP, protocol, port) before letting it pass.”